CLAIM AMENDMENTS



1. (Currently amended) A method of restricting Address Resolution Protocol (ARP) 
table updates to updates originating from authorized subsystems, the method 
comprising: 

receiving an instruction to update an ARP table; 

determining whether a particular subsystem within a network device from which the
instruction originated is authorized; and

if the particular subsystem is authorized, then updating the ARP table based on the
instruction.

2. (Currently amended) The method of Claim 1, wherein determining whether the 
particular subsystem is authorized comprises determining whether the particular 
subsystem is contained in a set of one or more specified subsystems the particular 
subsystem is a Dynamic Host Configuration Protocol server, an Authentication, 
Authorization, Accounting (AAA) server or a Network Address Translator (NAT).

3. (Currently amended) The method of Claim 1, wherein determining whether the
particular system is authorized comprises determining whether the particular
subsystem is a Dynamic Host Configuration Protocol (DHCP) server is authorized.

4. (Currently amended) The method of Claim 1, wherein determining whether the
particular system is authorized comprises determining whether the particular
subsystem is a Network Address Translator (NAT) is authorized.

5. (Currently amended) The method of Claim 1, wherein determining whether the
particular system is authorized comprises determining whether the particular
subsystem is an Authentication, Authorization, Accounting (AAA) server is
authorized.

6. (Original) The method of Claim 1, further comprising:

if the particular subsystem is not authorized, then preventing the ARP table from being
updated based on the instruction.

7. (Original) The method of Claim 1, further comprising: 

if the particular subsystem is not authorized, then performing the steps of:

determining whether a particular network interface through which the
instruction was received is contained in a set of one or more specified
network interfaces;

if the particular network interface is contained in the set, then preventing the
ARP table from being updated based on the instruction; and

if the particular network interface is not contained in the set, then updating the
ARP table based on the instruction.

8. (Original) The method of Claim 1, further comprising: 

if the particular subsystem is not authorized, then performing the steps of:

determining whether a particular network address indicated by the instruction
is contained in a set of one or more specified network addresses;

if the particular network address is contained in the set, then preventing the
ARP table from being updated based on the instruction; and

if the particular network address is not contained in the set, then updating the
ARP table based on the instruction.

9. (Original) The method of Claim 1, further comprising: 

determining whether a specified amount of time has passed since a time indicated by a 
timestamp associated with an entry in the ARP table; and 

if the specified amount of time has passed, then removing the entry from the ARP 
table. 

10. (Original) The method of Claim 1, wherein the ARP table is updated only in 
response to instructions that are not ARP messages.

11. (Original) The method of Claim 1, wherein determining whether the particular
system is authorized comprises determining whether the particular subsystem is a 
Hypertext Transfer Protocol (HTTP) server. 

12. (Currently amended) A method of restricting Address Resolution Protocol (ARP) 
table updates to updates originating from authorized subsystems, the method 
comprising: 

receiving an instruction to update an ARP table; 

determining whether a particular network interface through which the instruction was 
received is contained in a set of one or more specified network interfaces; 

determining whether a particular network address indicated by the instruction is 
contained in a set of one or more specified network addresses; 

if the particular network interface is not contained in the set of one or more specified
network interfaces, and if the particular network address indicated by the
instruction is not contained in the set of one or more specified network
addresses, then updating the ARP table based on the instruction; and

if the particular network interface is contained in the set of one or more specified
network interfaces, or if the particular network address is contained in the set
of one or more specified network addresses, then performing steps comprising:

determining whether a particular subsystem in a network element from which
the instruction originated is authorized;

if the particular subsystem is authorized, then updating the ARP table based on
the instruction; and

if the particular subsystem is not authorized, then preventing the ARP table
from being updated based on the instruction.

13. (Original) The method of Claim 12, wherein receiving the instruction to update 
the ARP table comprises receiving an ARP message that indicates an association 
between a network layer address and a data link layer address. 
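
The decision flow of Claim 12, together with the aging step of Claim 9, as an added Python example; it is not part of the claims or of any implementation by the applicant. The class and field names, the subsystem labels ("dhcp", "aaa", "nat", "arp") and the sample addresses are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class UpdateInstruction:
    ip: str          # network layer address
    mac: str         # data link layer address
    interface: str   # interface the instruction was received through
    origin: str      # originating subsystem; assumed to be set by the device's
                     # internal dispatcher, never parsed from the packet itself

@dataclass
class GuardedArpTable:
    authorized: frozenset        # subsystems allowed to write protected bindings
    protected_ifaces: frozenset  # "specified network interfaces"
    protected_addrs: frozenset   # "specified network addresses"
    max_age: float               # seconds before an entry is aged out (Claim 9)
    entries: dict = field(default_factory=dict)  # ip -> (mac, timestamp)

    def apply(self, ins: UpdateInstruction, now: float) -> bool:
        """Claim 12 decision. Returns True if the table was updated."""
        protected = (ins.interface in self.protected_ifaces
                     or ins.ip in self.protected_addrs)
        if protected and ins.origin not in self.authorized:
            return False                      # update prevented
        self.entries[ins.ip] = (ins.mac, now)
        return True

    def expire(self, now: float) -> list:
        """Claim 9: remove entries whose timestamp is at least max_age old."""
        stale = [ip for ip, (_, ts) in self.entries.items()
                 if now - ts >= self.max_age]
        for ip in stale:
            del self.entries[ip]
        return stale

def demo():
    # Constructed sample values (documentation address ranges, made-up MACs).
    t = GuardedArpTable(frozenset({"dhcp", "aaa", "nat"}), frozenset({"eth1"}),
                        frozenset({"192.0.2.1"}), max_age=300.0)
    results = [
        t.apply(UpdateInstruction("192.0.2.10", "02:00:00:00:00:0a", "eth1", "dhcp"), 0.0),
        # ARP message trying to rebind the same address on the protected interface
        t.apply(UpdateInstruction("192.0.2.10", "02:00:00:00:00:ff", "eth1", "arp"), 1.0),
        # protected address, even though the interface is not protected
        t.apply(UpdateInstruction("192.0.2.1", "02:00:00:00:00:ff", "eth0", "arp"), 2.0),
        # neither interface nor address is protected: ordinary ARP learning
        t.apply(UpdateInstruction("198.51.100.7", "02:00:00:00:00:07", "eth0", "arp"), 100.0),
    ]
    return results, dict(t.entries), t.expire(350.0), dict(t.entries)
```
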

14. (Currently Amended) A method of sending an instruction to update an Address 
Resolution Protocol (ARP) table in a system in which ARP table updates are restricted 
to updates originating from authorized subsystems, the method comprising:

receiving a request to update the ARP table from a Dynamic Host Configuration
Protocol (DHCP) in a DHCP message that indicates a network layer address
and a corresponding data link layer address;

in response to receiving the message, determining whether the network layer address
is bound with a data link layer address in the ARP table; and

only if the network layer address is not bound with a data link layer address, then
sending an instruction to update an ARP table.

15. (Original) The method of Claim 14, wherein the instruction is to update the ARP 
table to contain a binding between the network layer address and a data link layer 
address of a DHCP client that sent the message. 

16. (Original) The method of Claim 14, further comprising: 

determining whether a lease associated with the network layer address has expired; 
and 

if the lease has expired, then sending an instruction to update the ARP table. 

17. (Original) The method of Claim 14, further comprising:

determining whether a lease associated with the network layer address has expired;
and

if the lease has expired, then sending an instruction to remove, from the ARP table, an
entry that contains the network layer address.

18. (Original) The method of Claim 14, further comprising:

receiving a particular DHCP message that requests an extension of a lease; and

in response to receiving the particular DHCP message, sending an instruction to
update the ARP table.

19. (Original) The method of Claim 14, further comprising:

receiving a particular DHCP message that relinquishes a lease; and

in response to receiving the particular DHCP message, sending an instruction to
update the ARP table.

20. (Original) The method of Claim 14, further comprising:

if the network layer address is not bound with a data link layer address, then sending
an instruction to start a process in connection with the network layer address.

21. (Original) The method of Claim 14, further comprising: 

determining whether a lease associated with the network layer address has expired; 
and 

if the lease has expired, then sending an instruction to stop a process in connection 
with the network layer address. 

22. (Original) The method of Claim 14, further comprising: 
receiving a particular DHCP message that relinquishes a lease; and 

in response to receiving the particular DHCP message, sending an instruction to stop a 
process in connection with the network layer address. 

23. (Currently amended) A computer-readable storage medium carrying one or more 
sequences of instructions for restricting Address Resolution Protocol (ARP) table 
updates to updates originating from authorized subsystems, which instructions, when 
executed by one or more processors, cause the one or more processors to carry out the 
steps of: 

receiving an instruction to update an ARP table; 

determining whether a particular subsystem within a network device from which the
instruction originated is authorized;

if the particular subsystem is authorized, then updating the ARP table based on the
instruction.

24. (Currently amended) An apparatus for restricting Address Resolution Protocol (ARP) 
table updates to updates originating from authorized subsystems, comprising:

means for receiving an instruction to update an ARP table;

means for determining whether a particular subsystem within a network device from
which the instruction originated is authorized; and

means for updating the ARP table based on the instruction if the particular subsystem
is authorized.

25. (Currently amended) An apparatus for restricting Address Resolution Protocol (ARP)
table updates to updates originating from authorized subsystems, comprising:

a network interface that is coupled to a data network for receiving one or more packet
flows therefrom;
a processor; and 

one or more stored sequences of instructions which, when executed by the processor, 
cause the processor to carry out the steps of: 
receiving an instruction to update an ARP table; 

determining whether a particular subsystem within a network device from 
which the instruction originated is authorized; and 

if the particular subsystem is authorized, then updating the ARP table based on 
the instruction. 

26. (New) The apparatus of Claim 24, wherein the particular subsystem is a Dynamic 
Host Configuration Protocol server, an Authentication, Authorization, Accounting 
(AAA) server or a Network Address Translator (NAT). 

27. (New) The apparatus of Claim 24, wherein determining whether the particular system 
is authorized comprises determining whether a Dynamic Host Configuration Protocol 
(DHCP) server is authorized.

28. (New) The apparatus of Claim 24, wherein determining whether the particular system 
is authorized comprises determining whether a Network Address Translator (NAT) is 
authorized. 

29. (New) The apparatus of Claim 24, wherein determining whether the particular system 
is authorized comprises determining whether an Authentication, Authorization, 
Accounting (AAA) server is authorized. 

30. (New) The apparatus of Claim 24, further comprising: 

if the particular subsystem is not authorized, then preventing the ARP table from being 
updated based on the instruction.

31. (New) The apparatus of Claim 24, further comprising:

means for determining whether the particular subsystem is not authorized;

means for determining whether a particular network interface through which the
instruction was received is contained in a set of one or more specified network
interfaces;

means for preventing the ARP table from being updated based on the instruction when
the particular network interface is contained in the set; and

means for updating the ARP table based on the instruction when the particular
network interface is not contained in the set.

32. (New) The apparatus of Claim 24, further comprising: 

means for determining whether the particular subsystem is not authorized;

means for determining whether a particular network address indicated by the
instruction is contained in a set of one or more specified network addresses;

means for preventing the ARP table from being updated based on the instruction when
the particular network address is contained in the set; and

means for updating the ARP table based on the instruction when the particular
network address is not contained in the set.

33. (New) The apparatus of Claim 25, wherein the particular subsystem is a Dynamic 
Host Configuration Protocol server, an Authentication, Authorization, Accounting 
(AAA) server or a Network Address Translator (NAT). 

34. (New) The apparatus of Claim 25, wherein the instructions which when executed cause
determining whether the particular system is authorized comprise instructions which
when executed cause determining whether a Dynamic Host Configuration Protocol
(DHCP) server is authorized.

35. (New) The apparatus of Claim 25, wherein the instructions which when executed cause
determining whether the particular system is authorized comprise instructions which
when executed cause determining whether a Network Address Translator (NAT) is
authorized.

36. (New) The apparatus of Claim 25, wherein the instructions which when executed cause
determining whether the particular system is authorized comprise instructions which
when executed cause determining whether an Authentication, Authorization,
Accounting (AAA) server is authorized.

37. (New) The apparatus of Claim 25, further comprising instructions which when
executed cause preventing the ARP table from being updated based on the instruction if the
particular subsystem is not authorized.

38. (New) The apparatus of Claim 25, further comprising instructions which when
executed cause:

determining whether the particular subsystem is not authorized;

determining whether a particular network interface through which the instruction was
received is contained in a set of one or more specified network interfaces;

preventing the ARP table from being updated based on the instruction when the
particular network interface is contained in the set; and

updating the ARP table based on the instruction when the particular network interface
is not contained in the set.

39. (New) The apparatus of Claim 25, further comprising instructions which when
executed cause:

determining whether the particular subsystem is not authorized;

determining whether a particular network address indicated by the instruction is
contained in a set of one or more specified network addresses;

preventing the ARP table from being updated based on the instruction when the
particular network address is contained in the set; and

updating the ARP table based on the instruction when the particular network address is
not contained in the set.